Privacy and Confidentiality Policy

Last Updated: May 30, 2025

We want you to be able to view past versions of the policy so that you know what's changed.

Previous privacy policies:

1. Policy Statement

Chain For Change – CFC ("the Organization") is committed to ensuring the privacy, confidentiality, security, and lawful handling of all personal and sensitive data. This Privacy and Confidentiality Policy sets out how the Organization collects, uses, stores, discloses, and protects the personal information of users, stakeholders, and visitors across all platforms operated by CFC, including but not limited to mobile applications, websites, partner platforms, and in-person engagements.

CFC upholds the highest standards of data protection in line with the Constitution of Nepal 2015, the Electronic Transactions Act 2063 (2008), the Privacy Act 2075 (2018), and is committed to meeting international standards including the policies of global platforms such as Google and Apple.

2. Scope

This policy applies to:

  • All individuals whose personal information is collected by CFC, including but not limited to beneficiaries, members, employees, volunteers, interns, funders, partners, donors, sponsors, and service users.
  • All digital and physical data collection, storage, processing, and dissemination conducted by CFC.
  • All third-party platforms and service providers engaged by CFC that have access to or process personal data on behalf of CFC.

3. Purpose

The purpose of this policy is to:

  • Safeguard individuals' right to privacy.
  • Ensure transparent and secure handling of personal and sensitive data.
  • Mitigate legal, reputational, and operational risks associated with data breaches or misuse.
  • Comply with legal and regulatory obligations in Nepal and with applicable international standards.

4. Legal and Policy Compliance

CFC shall comply with:

  • Privacy Act of Nepal 2075 (2018), where applicable
  • Privacy Regulation, 2077 (2020), where applicable
  • Data Act, 2079 (2022), where applicable
  • Electronic Transactions Act 2063 (2008), where applicable
  • Consumer Protection Act 2075 (2018), where applicable
  • Consumer Protection Rules, 2076 (2020), where applicable
  • Google Play Developer Privacy and Data Handling Policies
  • Apple App Store Review Guidelines and Data Use Requirements
  • General principles of the GDPR (where international engagement occurs)

5. Definitions

Unless otherwise specified, key terms in this policy refer to:

  • Personal Data: Any information that identifies or can be used to identify an individual.
  • Sensitive Data: Personal data relating to health, biometric data, location, children, or any data that can be used to harm or discriminate.
  • Data Subject: The individual whose data is collected.
  • Consent: Voluntary, informed, and explicit permission given by the data subject.
  • Service Provider: Any third party contracted by CFC to provide services, including cloud, hosting, data analysis, or support.

6. Types of Data Collected

CFC collects the following data, with the subject's consent or lawful basis:

  • Identifying Information: Full name, gender, date of birth, disability
  • Contact Information: Email, phone number, physical address
  • Technical Data: Device ID, IP address, operating system, browser type, access times
  • Location Data: If the user enables location permissions
  • Media Content: Photos, videos, documents submitted via mobile or web
  • Social Media Data: Only if the user connects via Google, Apple, or Facebook OAuth
  • Usage Data: Time spent on services, pages visited, features used

7. Data Collection Methods

CFC collects data through the following means:

  • Online registration and forms
  • Use of CFC applications and websites
  • Cookies and tracking technologies (see Section 9)
  • In-person registration or surveys
  • Third-party integration (e.g., Google or Apple login)

8. Purpose of Data Collection

Personal data is collected for:

  • Registration and identity verification
  • Service delivery and access to features
  • Communication (newsletters, updates, alerts)
  • Research, monitoring, and evaluation
  • Legal compliance and risk management
  • Improvement of service experience
  • Fundraising and donor engagement, where consented

9. Use of Cookies and Tracking

CFC uses session and persistent cookies to:

  • Authenticate users and maintain sessions
  • Analyze usage patterns
  • Customize content and improve services

Users can manage or delete cookies through browser settings. Declining cookies may limit service functionality.

10. Data Storage and Retention

CFC stores personal data:

  • On secure servers (cloud-based and physical)
  • With industry-standard encryption (SSL, AES-256)
  • In compliance with data minimization and retention laws

Retention timelines:

  • Personal data: Up to 7 years unless deletion is requested or legally required sooner
  • Usage data: Retained for analytics and security purposes up to 3 years

11. Data Sharing and Third Parties

CFC may share data with:

  • Accredited service providers (e.g., hosting, analytics)
  • Legal authorities, as required by Nepali law
  • Donors or researchers (anonymized or with consent)
  • Affiliates or partners for joint service delivery

No personal data is sold to any third party.

12. User Rights

All users have the right to:

  • Access and review personal data
  • Request correction or deletion of their data
  • Withdraw consent at any time
  • Object to or restrict processing
  • File a complaint with relevant authorities (such as the National Information Commission of Nepal)

13. Data of Minors

CFC collects data from children under 18 only:

  • With verifiable parental/guardian consent
  • In accordance with Nepal's Child Rights Act 2075 (2018)

Guardians may contact CFC at any time to review or delete a child's data.

14. Data Security

CFC employs physical, administrative, and technical safeguards including:

  • Two-factor authentication for admin access
  • Role-based access controls
  • Encryption during transmission and at rest
  • Regular security audits and backups

Despite best efforts, absolute security cannot be guaranteed. In case of a breach, CFC will notify affected users and regulatory bodies within 72 hours.

15. International Transfers

In cases where data is stored or processed outside Nepal (e.g., cloud services):

  • CFC ensures adherence to equivalent data protection standards
  • Explicit consent is obtained for international data transfers

16. Breach Response and Reporting

In the event of a data breach:

  • The incident will be immediately reported to the Executive Committee
  • Affected individuals will be informed
  • Investigation and remedial steps will be taken
  • A report will be filed with Nepali legal authorities if required

17. Policy Implementation and Monitoring

  • The Executive Committee of CFC is responsible for the enforcement of this policy
  • The IT and Creative Specialist of CFC shall oversee compliance
  • All members, staff, interns, volunteers, funders, partners, donors, and sponsors shall be oriented on this policy annually

18. Changes to the Policy

CFC may revise this policy periodically. Updates will be:

  • Communicated via email, app notifications, or website banners
  • Reflected in the "Last Updated" section
  • Deemed accepted by continued use of services

19. Contact Information

For inquiries, requests, or concerns related to privacy and data protection:

  • Email: [email protected]
  • Website: https://www.chainforchange.org.np
  • Request Deletion: https://www.chainforchange.org.np/accounts/request-deletion
